Rpr 28 05 02:46p SVIPG 



408 971 4660 



p . 5 



-2- 

TN THE CLAIMS: 
Amended claims follow: 

1 . (Currently Amended) A computerized method to prevent identification of an 
operating system executing on a computer connected to a network comprising: 

intercepting a portion of outgoing network data characteristic of the operating 
system; and 

masking the portion of outgoing network data to impersonate a different operating 
system in accordance with a security policy if the network is an untrusted network; 
wherein masking the portion comprises: , 

replacing the portion of outgoing network data with data characteristic of 
the different operating system . 

2. (Original) The computerized method of claim 1 , wherein masking the portion 
comprises: 

discarding the portion of outgoing network data. 

3. (Cancelled) 

4. (Original) The computerized method of claim 1, wherein the security policy 
identifies the portion of outgoing network data and specifies an action to take to mask the 
portion of outgoing network data. 

5. (Original) The computerized method of claim 1 , wherein the security policy 
further specifies replacement data for the portion of outgoing network data, the 
replacement data characteristic of the different operating system. 

6. (Original) The computerized method of claim 1 , wherein the security policy 
further defines the network as untrusted. 
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7. (Original) The computerized method of claim 1 further comprising: 
receiving the security policy through the network. 

8. (Original) The computerized method of claim 1 further comprising: 
modifying the security policy based on user input. 

9. (Original) The computerized method of claim 1 further comprising: 
transmitting the portion of outgoing network data unchanged if the network is a 

trusted network. 

10. (Original) The computerized method of claim 1 further comprising: 
intercepting a portion of incoming network data; and 

sending a false response to the portion of incoming network data to impersonate 
the different operating system in accordance with the security policy if the network is an 
untrusted network. 

1 1 . (Original) The computerized method of claim 1 0, wherein the security policy 
identifies the portion of incoming network data and the false response. 

12. (Original) The computerized method of claim 1, wherein the method is integrated 
into a firewall that protects the computer. 

13. (Currently Amended) A computer-readable medium having executable 
instructions to a cause a computer to perform a method comprising: 

intercepting a portion of outgoing network data characteristic of an operating 
system executing on the computer when the computer is connected to a network; and 

masking the portion to impersonate a different operating system in accordance 
with a security policy if the network is an untrusted network; 

wherein masking the portion comprises: 

replacing the portion with data characteristic of the different operating system . 
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14. (Original) The computer-readable medium of claim 13, wherein masking the 
portion comprises: 

discarding the portion. 

15. (Cancelled) 

16. (Original) The computer-readable medium of claim 13, wherein the security 
policy identifies the portion and specifies an action to take to mask the portion. 

1 7. (Original) The computer-readable medium of claim 13, wherein the security 
policy farther specifies replacement data for the portion, the replacement data 
characteristic of the different operating system. 

1 8. (Original) The computer-readable medium of claim 1 3, wherein the security 
policy further defines the network as untrusted. 

1 9. (Original) The computer-readable medium of claim 1 3, wherein the method 
further comprises: 

receiving the security policy through the network. 

20. (Original) The computer-readable medium of claim 1 3, wherein the method 
further comprises: 

modifying the security policy based on user input. 

21. (Original) The computer-readable medium of claim 1 3, wherein the method 
further comprises: 

transmitting the portion unchanged if the network is a trusted network. 

22. (Original) The computer-readable medium of claim 1 3, wherein the method 
further comprises: 

intercepting a portion of incoming network data; and 
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sending a false response to the portion of incoming network data to impersonate 
the different operating system in accordance with the security policy if the network is an 
untrusted network. 

23. (Original) The computer-readable medium of claim 22, wherein the security 
policy identifies the portion of incoming network data and the false response. 

24. (Original) The computer-readable medium of claim 13, wherein the instructions 
are operable for integration into a firewall. 

25. (Currently Amended) A computerized system comprising: 
a processing unit; 

a memory coupled to the processing unit through a bus; 

a network interface coupled to the processing unit through the bus and further 
operable for coupling to a network; 

an operating system executed from the memory by the processing unit; and 

a fingerprint masking process executed from the memory by the processing unit to 
cause the processing unit to intercept a portion of network data characteristic of the 
operating system w r hen the network interface is coupled to the network, and to mask the 
portion to impersonate a different operating system in accordance with a security policy 
if the network is an untrusted network- 

wherein the fingerprint masking process further causes the processing unit to 
mask the portion bv replacing the portion with data characteristic of the different 
operating system . 

26. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process further causes the processing unit to mask the portion by discarding the portion, 

27. (Cancelled) 
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28. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process further causes the processing unit to transmit the portion unchanged if the 
network is a trusted network. 

29. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process further causes the processing unit to receive the security policy through the 
network interface. 

30. (Original) The computerized system of claim 25 further comprising a user input 
device coupled to the processing unit through the bus and wherein the fingerprint 
masking process further causes the processing unit to receive input through the user input 
device and to modify the security policy based on the input. 

3 1 . (Original) The computerized system of claim 25, wherein the fingerprint masking 
process further causes the processing unit to intercept a portion of incoming network data 
when the network interface is coupled to the network, and to send a false response to the 
portion of incoming network data to impersonate the different operating system in 
accordance with the security policy if the network is an untrusted network. 

32. (Original) The computerized system of claim 25, wherein the fingerprint masking 
process is integrated into a firewall process that is executed by the processing unit. 

33. (Original) The computerized system of claim 25, wherein the computerized 
system is a firewall and the fingerprint masking process masks an operating system on a 
computer coupled to the firewall. 

34. (Currently Amended) A computer-readable medium having stored thereon an OS 
fingerprint policy data structure comprising: 

a data unit type field containing data representative of an identifier for a type of 
data unit, wherein information associated with the data unit is characteristic of an 
operating system; and 



PAGE 9/19 * RCVD AT 4/28/2003 5:44:23 PM [Eastern Daylight Time] * 8VR:U8PTO-EFXRF-1/2 * DN1S:8729308 * CSID:408 971 4660 * DURATION (mm-ss):06-42 



Rpr 28 05 02:47p SVIPG 



408 971 



4660 



p. 10 



-7- 

an action field containing data representative of an action to be taken to mask the 
information associated with the data unit identified by the data unit type field; 
wherein masking the information comprises: 

replacing the information with information characteristic of a different operating 

system . 

35. (Original) The computer-readable medium of claim 34 further comprising: 

a re- fingerprint field containing data representative of an identifier for a field type 
within the data unit type identified by the data unit type field, and further containing re- 
fingerprint data that identifies replacement data for the field identified by the field type, 

36. (Original) The computer-readable medium of claim 35, wherein the re-fingerprint 
data is selected from the group consisting of the replacement data and a location for the 
replacement data. 

37. (Original) The computer-readable medium of claim 34 further comprising: 

a re-fingerprint field containing data representative of an identifier for a field type 
within a false response to the data unit type identified by the data unit type field, and 
further containing re-fingerprint data that identifies false data for the field identified by 
the field type. 

38. (Original) The computer-readable medium of claim 37, wherein the re-fingerprint 
data is selected from the group consisting of the false data and a location for the false 
data. 

39. (Original) The computer-readable medium of claim 34 further comprising: 

a network identifier field containing data representative of an identifier for a 
network that is untrusted when transmitting the type of data unit identified by the data 
unit type field. 
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40. (New) The computerized method of claim 1, wherein the security policy contains 
data on a plurality of different operating systems for allowing the portion of outgoing 
network data to impersonate any one of the plurality of different operating systems. 

41 . (New) The computerized method of claim 40, wherein each of the different 
operating systems included in the plurality of different operating systems is assigned a 
specific untrusted network for masking the portion of outgoing data according to the 
untrusted network. 

42. (New) The computerized method of claim 10, wherein the false response is sent if 
the operating system would normally not respond to the incoming network data. 
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